diff options
| author | Xin Long <lucien.xin@gmail.com> | 2018-09-03 03:47:10 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2018-09-04 00:57:54 -0400 |
| commit | af8a2b8ba7678b4695f9e854ba9abae1076beabe (patch) | |
| tree | b742478f7f6e75cfa5c4368a098474c4818c26e0 | |
| parent | bf68066fccb10fce6bbffdda24ee2ae314c9c5b2 (diff) | |
sctp: fix invalid reference to the index variable of the iterator
Now in sctp_apply_peer_addr_params(), if SPP_IPV6_FLOWLABEL flag is set
and trans is NULL, it would use trans as the index variable to traverse
transport_addr_list, then trans is set as the last transport of it.
Later, if SPP_DSCP flag is set, it would enter into the wrong branch as
trans is actually an invalid reference.
So fix it by using a new index variable to traverse transport_addr_list
for both SPP_DSCP and SPP_IPV6_FLOWLABEL flags process.
Fixes: 0b0dce7a36fb ("sctp: add spp_ipv6_flowlabel and spp_dscp for sctp_paddrparams")
Reported-by: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/sctp/socket.c | 24 |
1 files changed, 13 insertions, 11 deletions
diff --git a/net/sctp/socket.c b/net/sctp/socket.c index aa76586a1a1c..a0ccfa4b8220 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c | |||
| @@ -2663,14 +2663,15 @@ static int sctp_apply_peer_addr_params(struct sctp_paddrparams *params, | |||
| 2663 | SCTP_FLOWLABEL_VAL_MASK; | 2663 | SCTP_FLOWLABEL_VAL_MASK; |
| 2664 | trans->flowlabel |= SCTP_FLOWLABEL_SET_MASK; | 2664 | trans->flowlabel |= SCTP_FLOWLABEL_SET_MASK; |
| 2665 | } else if (asoc) { | 2665 | } else if (asoc) { |
| 2666 | list_for_each_entry(trans, | 2666 | struct sctp_transport *t; |
| 2667 | &asoc->peer.transport_addr_list, | 2667 | |
| 2668 | list_for_each_entry(t, &asoc->peer.transport_addr_list, | ||
| 2668 | transports) { | 2669 | transports) { |
| 2669 | if (trans->ipaddr.sa.sa_family != AF_INET6) | 2670 | if (t->ipaddr.sa.sa_family != AF_INET6) |
| 2670 | continue; | 2671 | continue; |
| 2671 | trans->flowlabel = params->spp_ipv6_flowlabel & | 2672 | t->flowlabel = params->spp_ipv6_flowlabel & |
| 2672 | SCTP_FLOWLABEL_VAL_MASK; | 2673 | SCTP_FLOWLABEL_VAL_MASK; |
| 2673 | trans->flowlabel |= SCTP_FLOWLABEL_SET_MASK; | 2674 | t->flowlabel |= SCTP_FLOWLABEL_SET_MASK; |
| 2674 | } | 2675 | } |
| 2675 | asoc->flowlabel = params->spp_ipv6_flowlabel & | 2676 | asoc->flowlabel = params->spp_ipv6_flowlabel & |
| 2676 | SCTP_FLOWLABEL_VAL_MASK; | 2677 | SCTP_FLOWLABEL_VAL_MASK; |
| @@ -2687,12 +2688,13 @@ static int sctp_apply_peer_addr_params(struct sctp_paddrparams *params, | |||
| 2687 | trans->dscp = params->spp_dscp & SCTP_DSCP_VAL_MASK; | 2688 | trans->dscp = params->spp_dscp & SCTP_DSCP_VAL_MASK; |
| 2688 | trans->dscp |= SCTP_DSCP_SET_MASK; | 2689 | trans->dscp |= SCTP_DSCP_SET_MASK; |
| 2689 | } else if (asoc) { | 2690 | } else if (asoc) { |
| 2690 | list_for_each_entry(trans, | 2691 | struct sctp_transport *t; |
| 2691 | &asoc->peer.transport_addr_list, | 2692 | |
| 2693 | list_for_each_entry(t, &asoc->peer.transport_addr_list, | ||
| 2692 | transports) { | 2694 | transports) { |
| 2693 | trans->dscp = params->spp_dscp & | 2695 | t->dscp = params->spp_dscp & |
| 2694 | SCTP_DSCP_VAL_MASK; | 2696 | SCTP_DSCP_VAL_MASK; |
| 2695 | trans->dscp |= SCTP_DSCP_SET_MASK; | 2697 | t->dscp |= SCTP_DSCP_SET_MASK; |
| 2696 | } | 2698 | } |
| 2697 | asoc->dscp = params->spp_dscp & SCTP_DSCP_VAL_MASK; | 2699 | asoc->dscp = params->spp_dscp & SCTP_DSCP_VAL_MASK; |
| 2698 | asoc->dscp |= SCTP_DSCP_SET_MASK; | 2700 | asoc->dscp |= SCTP_DSCP_SET_MASK; |